Tag Archive: Malware


Bitcoins, other digital currencies stolen in massive ‘Pony’ botnet attack

Cybercriminals have infected the computers of digital currency holders, using a virus known as “Pony” to make off with account credentials, bitcoins and other digital currencies in one of the largest attacks on the technology, security services firm Trustwave said.

The attack was carried out using the “Pony” botnet, a group of infected computers that take orders from a central command-and-control server to steal private data. A small group of cybercriminals were likely behind the attack, Trustwave said.

Over 700,000 credentials, including website, email and FTP account log-ins, were stolen in the breach. The computers belonging to between 100,000 and 200,000 people were infected with the malware, Trustwave said.

The Pony botnet has been identified as the source of some other recent attacks, including the theft of some 2 million log-ins for sites like Facebook, Google and Twitter. But the latest exploit is unique due to its size and because it also targeted virtual wallets storing bitcoins and other digital currencies like Litecoins and Primecoins.

Eighty-five wallets storing the equivalent of $220,000, as of Monday, were broken into, Trustwave said. That figure is low because of the small number of people using Bitcoin now, the company said, though instances of Pony attacks against Bitcoin are likely to increase as adoption of the technology grows. The attackers behind the Pony botnet were active between last September and mid-January.

“As more people use digital currencies over time, and use digital wallets to store them, it’s likely we’ll see more attacks to capture the wallets,” said Ziv Mador, director of security research at Chicago-based Trustwave.

Most of the wallets that were broken into were unencrypted, he said.

“The motivation for stealing wallets is obviously high—they contain money,” Trustwave said in a blog post describing the attack. Stealing bitcoins might be appealing to criminals because exchanging them for another currency is easier than stealing money from a bank, Trustwave said.

There have been numerous cyberattacks directed at Bitcoin over the last year or so as its popularity grew. Last year, a piece of malware circulating over Skype was identified as running a Bitcoin mining application. Bitcoin mining is a process by which computers monitor the Bitcoin network to validate transactions.

“Like with many new technologies, malware can be an issue,” said a spokesman for the Bitcoin Foundation, a trade group that promotes the use of Bitcoin, via email. Wallet security should improve, the spokesman said, as more security features are introduced, like multisignature transactions, he said.

Digital currency users can go to this Trustwave site to see if their wallets and credentials have been stolen.

Source: PC World

Researchers Say They Took Down World’s Third-Largest Botnet

On Wednesday, computer security experts took down Grum, the world’s third-largest botnet, a cluster of infected computers used by cybercriminals to send spam to millions of people. Grum, computer security experts say, was responsible for roughly 18 percent of global spam, or 18 billion spam messages a day.

Computer security experts blocked the botnet’s command and control servers in the Netherlands and Panama on Tuesday. But later that day, Grum’s architects had already set up seven new command and control centers in Russia and Ukraine. FireEye, a computer security company based in Milpitas, Calif., said it worked with its counterparts in Russia and with SpamHaus, a British organization that tracks and blocks spam, to take down those command and control centers Wednesday morning.

The researchers said they were able to vanquish the botnet by tracing Grum back to its servers and alerting Internet service providers to shut those computers down.

Technologists have taken the lead in combating digital crime rather than waiting for law enforcement authorities to act. Earlier this year, Microsoft employees assisted federal marshals in a raid on botnet servers in Pennsylvania and Illinois. Those servers were used by criminals to run Zeus, a botnet that siphoned people’s personal information, like online bank account passwords and credit card numbers, from infected computers. Almost simultaneously, a separate group of cybersecurity researchers in San Francisco were busy eliminating another botnet, called Kelihos.b, which was used to send spam.

While computer security companies are quick to publicize botnet takedowns, their gains tend to be temporary. The blocking of Kelihos.b lasted less than a week before a modified version of the botnet started infecting computers. Microsoft’s takedown of Waledac, another spam botnet in 2010, lasted only as long as the time it took its creators to modify its architecture slightly and create a new botnet.

So what’s to say Grum’s creators will not just run their botnet from a new command and control center tomorrow?

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”

Source: New York Times

Smartphone scams: Owners warned over malware apps

Get Safe Online says that there has been an increase in smartphone malware as the market has grown.

Criminals are typically creating Trojan copies of reputable apps and tricking users into installing them.

Once on the phone, the app can secretly generate cash for criminals through premium rate text messages.

Get Safe Online, a joint initiative between the government, police and industry, said it was concerned that users of smartphones, such as Android devices, were not taking steps to protect their devices.

Get Safe Online said fraudsters are designing apps which generate cash secretly in the background without the owner realising until their monthly bill.

A typical scam involves an app designed to send texts to premium rate services without the user knowing.

Apps can appear to be bona fide software or sometimes masquerade as stripped down free versions of well-known games.

Rik Ferguson, a hacking researcher with internet security firm Trend Micro, said: “This type of malware is capable of sending a steady stream of text messages to premium rate numbers – in some instances we’ve seen one being sent every minute.

“With costs of up to £6 per message, this can be extremely lucrative. The user won’t know this is taking place, even if they happen to be using the device at the same time, as the activity takes place within the device’s back-end infrastructure.”

Online banking

Another major security firm, Symantec, recently warned in its annual threat assessment that Android phones were at risk and that it had found at least six varieties of malicious software.

Minister for Cyber Security Francis Maude said: “More and more people are using their smartphone to transmit personal and financial information over the internet, whether it’s for online banking, shopping or social networking.

“Research from Get Safe Online shows that 17% of smartphone users now use their phone for money matters and this doesn’t escape the notice of criminals.”

Tony Neate, head of Get Safe Online, urged people to check their phone’s security.

“Mobile phones are very personal. I have talked to people who are never more than a yard away from their mobile phone. Because of that attachment, they start to think that they are in a way invincible.

“It’s the end user that picks up the tab – it’s your phone that incurs the costs. Whether you have pay-as-you-go or a monthly account, that money is going to come from the account and go to the criminal.”

Source: BBC News

Fake FlashPlayer for Mac OS X leads to site redirection attacks

Researchers at F-Secure have intercepted a new malicious threat for Apple’s Mac OS X — a Trojan that redirects users to fake Google web sites.

The Trojan is currently being delivered via a fake Adobe Flash Player (FlashPlayer.pkg) update, F-Secure said in a blog post.

Once installed, the Trojan adds entries to the hosts file that redirect users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in the Netherlands.
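Because the hijack described above lives in a plain text file rather than in the network, it is easy to audit for. The following is an added example (not code from the F-Secure report or from the page) of a small hosts-file checker: it parses hosts-file syntax, ignores the normal loopback entries, and flags any watched domain that has been pinned to a non-loopback address. The sample file contents are constructed to mirror the behaviour the article describes, with the 91.224.160.26 address taken from the report; the `WATCHED_SUFFIXES` list and the `intranet.example.test` entry are assumptions for illustration. The same check generalises to any locally injected DNS override, not only the Google domains named in the story.

```python
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample hosts file, modelled on the behaviour described in the article:
# several Google domains are mapped to one remote address (91.224.160.26 is the IP
# named in the F-Secure report). The loopback lines are what a clean file contains.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
91.224.160.26   google.com.tw www.google.com.tw   # injected by the Trojan
91.224.160.26   google.com.tl www.google.com.tl
10.0.0.5        intranet.example.test            # legitimate internal entry
"""

# Domains a defender would not expect to see overridden locally.
# Hypothetical watch-list; extend it with whatever domains matter in your environment.
WATCHED_SUFFIXES = ("google.com", "google.com.tw", "google.com.tl", "apple.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)              # validate the address column
        except ValueError:
            continue                              # malformed line, ignore it
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_watched(hostname: str) -> bool:
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text: str) -> List[Tuple[str, str]]:
    """Flag hosts entries that pin a watched domain to a non-loopback address."""
    findings: List[Tuple[str, str]] = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries are standard (or ad-blocking)
        if is_watched(name):
            findings.append((ip, name))
    return findings


def group_by_ip(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Collapse findings per address: many unrelated domains on one IP is the telltale pattern."""
    grouped: Dict[str, List[str]] = {}
    for ip, name in findings:
        grouped.setdefault(ip, []).append(name)
    return grouped


if __name__ == "__main__":
    # Default to the live file (/etc/hosts on Mac OS X and other Unix-like systems);
    # pass "-" to run against the constructed sample instead.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    content = SAMPLE_HOSTS if path == "-" else open(path, encoding="utf-8").read()
    for ip, names in group_by_ip(find_hijacks(content)).items():
        print(f"{ip} overrides {len(names)} watched name(s): {', '.join(names)}")
```

Run with `python hosts_check.py -` to see the sample flagged, or without arguments to audit the machine's own hosts file. The check is deliberately conservative: it only reports watched domains, so a legitimate internal override such as the `intranet.example.test` line is never flagged, while the injected Google entries are reported grouped under the single remote address that serves them.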

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.

“Even though the [Google] page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server,” F-Secure said, noting that this attack may be aimed at serving ads to infected Mac OS X machines.

Apple has struggled recently with scareware attacks on its platform and the latest sighting is further proof that the increase in Mac OS X market share has attracted the attention of malware writers.

Source: ZDNet

Researcher Says That 8% of Android Apps Are Leaking Private Information

Android has had its fair share of malware problems. Whenever malware is detected, Google reacts swiftly and removes it. However, according to security researcher Neil Daswani, around 8% of the apps on the Android Market are leaking private user data.

Neil Daswani, who is also the CTO of security firm Dasient, says that they have studied around 10,000 Android apps and have found that 800 of them are leaking the user’s private information to an unauthorized server. Neil Daswani is scheduled to present the full findings at the Black Hat Conference in Las Vegas, which starts on July 30th.

The Dasient researchers also found out that 11 of the apps they have examined are sending unwanted SMS messages.

Google needs to take charge

This malware problem on Android has become too much. One of the main reasons that we see malicious apps in the market is the lack of regulation of the apps that get into the Android Market.

Sure, the lack of regulation can be good. It means that developers can make their apps without worrying if Google will accept their apps or not. It fits into the pre-existing application distribution model where anyone can develop and publish their own apps.

However, this comes at a price – the malware problem. Yes, most of the problems with these malicious apps can be avoided if only users read the permission requirements of the apps. But, what percentage of the users actually read the permission requirements of all the apps they download?

I think that it is time that Google makes approval of apps a requirement before they get into the Market. They do not need to do it like Apple, but a basic security check before an app gets on the market would be nice.

If nothing is done about this problem and it is allowed to grow, it will end up killing the platform.

Ryan: I’ve been using Lookout Mobile Security on Android OS for a while now and it appears to be working great. You can find it here.

Source: Digitizor


Fake Anti-Virus Software Targets Firefox Users

One of the most malicious types of malware out there is the fake anti-virus. These malware programs get onto your machine, pose as anti-virus software, and warn you that your computer is full of viruses and needs to be cleaned. Of course, it’s cleaned by entering your credit card number to buy the “anti-virus program.” Most people aren’t fooled by these programs, but they’re nasty anyway since they often make it difficult to access your real anti-malware programs.

Well, if you use Firefox on a Windows PC to surf the web, be warned. There’s a new species of Fake Anti-Virus malware targeting Firefox users. Sophos reports that it directs you to a screen that looks exactly like Windows Update — except that when you click the button to update your computer, you get a nice, tasty dose of malware instead.

The page is nearly an exact replica of the real Microsoft Update page with one major exception… It only comes up when surfing from Firefox on Windows. The real Microsoft Update requires Internet Explorer.

The same site was also hosting the traditional Windows XP explorer scanner we have seen for years, as well as a new Windows 7 scanner.

Similar to spam messages that have corrected their grammar and use correct imagery and CSS, the attackers selling fake anti-virus are getting more professional.

They use high quality graphics and are using information from the User-Agent strings sent by the browser to customize your malware experience.

As always when surfing the web, if something pops up, always be leery. And always verify what site you’re downloading any file from. Especially if you didn’t initiate the download.

Source: Forbes

Apple releases ‘Mac Defender’ security update

Apple has just released a security update for Mac OS X that is designed to detect and remove Mac Defender malware. But unless you’re running the latest ‘Snow Leopard’ version, you’re outta luck.

Apple security update 2011-003 (only for Snow Leopard) consists of three components:

File Quarantine
Malware detection definitions for OSX.MacDefender.A have been added to the File Quarantine system.

Automatic Updates
The system will check daily for updates to the File Quarantine malware definition list. An opt-out is available.

Malware Removal
The update will scan and remove Mac Defender and known variants.

This update is available for Mac OS X v10.6.7 and Mac OS X Server v10.6.7 (if you’re using an earlier version of Mac OS X, tough, Apple doesn’t love you) via Software Updates or via Apple Downloads. No reboot required.

Hello Mac OS X users, welcome to the world of daily malware signature updates.

Source: ZDNet

Apple acknowledges Mac Defender malware, promises software update

Apple has decided to publicly acknowledge the Mac Defender malware that seems to be creeping onto Mac users’ computers. The company posted an online support document Tuesday evening that outlines how to identify and get rid of the program, which attempts to trick users into handing over their credit card information. The company also promised to issue a software update soon that will specifically hunt out and remove Mac Defender and its variants.

“A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus,” Apple wrote in its support document. “In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.”

The much-welcome acknowledgement from Apple comes less than a week after it came out that real users were beginning to see this malware in the wild a little more often than usual. When we investigated the issue, we were told by several Apple Store Geniuses that they had also seen a spike—one Genius at a large Apple Store said he had seen malware reports in his store go from approximately 0.2 percent to 5.8 percent in a matter of weeks, with the large majority of those being Mac Defender or its variants, often known as Mac Security or Mac Protector. (Smaller, third-party support folks were somewhat split on whether there had been a spike in malware reports.)

At the time, one of the more controversial aspects of Apple’s reaction was that there was none—Apple had instructed its AppleCare and retail staff not to even acknowledge Mac Defender’s existence, and not to remove it from users’ infected computers.

Now, however, the company has apparently had a change of heart. In the support doc, Apple says to trash the app immediately if you haven’t installed it yet, but if you have, there’s a series of steps to follow in order to get rid of it. And, of course, there’s also the lazy route: if you have Mac Defender installed but haven’t given it your credit card information yet, you could just wait for Apple to issue its software update and have it removed automatically. Or, you can use the Mac Defender removal tool from Icrontic.

Source: Ars Technica

Fake security software takes aim at Mac users

Scammers are distributing fake security software aimed at the Mac by taking advantage of the news that al-Qaeda leader Osama Bin Laden has been killed by U.S. forces, a security researcher said today.

A security firm that specializes in Mac software called the move “a very big step forward” for malware makers targeting Apple’s users.

Phony antivirus software, dubbed “rogueware” by security experts, has long plagued people running Microsoft Windows, but this is the first time scammers have targeted the Mac with a sophisticated, professional-looking security application, said Peter James, a spokesman for Intego, a Mac-only antivirus company headquartered in France.

“This is indeed a very big step forward for Mac malware,” said James.

The program, dubbed MAC Defender, is similar to existing “rogueware,” the term for bogus security software that claims a personal computer is heavily infected with malware. Once installed, such software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.

Until now, rogueware has been exclusively targeting Windows PCs.

That’s changed, according to Kurt Baumgartner, a senior malware researcher with Moscow-based Kaspersky Lab, who today said that one group distributing MAC Defender has also been actively spreading Windows rogueware.

“They have been revving up for this for months,” said Baumgartner of the work to prep MAC Defender.

Last month, Baumgartner had reported that “.co.cc” domains — which are often used to spread malware and host attack code-infected Web sites — had begun to host fake security sites and deliver the “Best AntiVirus 2011” rogueware.

During his early-April sweep through the .co.cc domains, Baumgartner found a URL explicitly aimed at Macs: “antispyware-macbook(dot)co(dot)cc”.

“It is very odd that this group is marketing ‘Fast Windows Antivirus 2011’ from ‘macbook’ domains,” Baumgartner said at the time in a blog post.

Today, Baumgartner said that a group using .co.cc domains was serving up fake security software for Macs as part of a broader campaign to trick Windows users into downloading and installing phony programs.

That campaign is currently exploiting the hot news topic of Bin Laden’s death to get people to click on links that redirect their browsers to the rogueware downloads. The scammers have used “black hat” SEO (search engine optimization) tactics to push links to rogueware higher on Google Images’ search results.

But that’s not the only way Mac owners have been duped into installing MAC Defender.

On Saturday — the day before President Obama announced the killing of Bin Laden — messages from infected users began appearing on Apple’s support forums.

“What is macdefender and why is it trying to install itself on my computer?” asked someone identified as “wamabahama” on April 30.

“FYI, my daughter said the program started after clicking on a ‘hair style photo,'” added “Mr. Fix It Home Services” on the same support thread. Others reported stumbling upon MAC Defender after searching for images of prom tuxedos or for pictures of a character in the movie “Princess Bride.”

On Monday, Intego published a detailed advisory about MAC Defender, noting that it was “very well designed, and looks professional.”

Intego spotted MAC Defender and acquired samples on Saturday, said James, who pointed out that users must enter their administrative password to install the program. “So there’s still a social engineering angle here,” he said.

In fact, users see a generic Windows-oriented page when they first click a link to the rogueware. “They’re not even getting a Mac-specific page,” James said.

But unless users have Safari set not to automatically open files after downloading, MAC Defender’s installation screen opens without any user action. That’s been enough to con some into approving the install by typing their administrative password.

The program also relies on an unusual technique to make users pay up.

“Every few minutes, it opens a porn page in the browser,” said James of MAC Defender. “We think they’re doing this because most people will assume that that means they’ve got a virus on their Mac, and they need to get rid of it by paying for the program.”

MAC Defender demands $60-$80, depending on whether users select a one-year, two-year or lifetime “license.”

Ironically, there are only eight to 10 serial numbers that MAC Defender accepts, said James, and those are tucked into the binary file — unencrypted — where advanced users may be able to root them out.

James also called out the MAC Defender’s look and feel as an indicator that the criminals are serious about reaping profits from Mac users. “This was done by a very sophisticated Mac interface developer,” James said. “It’s an obvious sign that [scammers] are starting to target Macs. Earlier [scams], such as 2008’s MacSweeper just didn’t bother trying to look professional.”

Intego spotted MacSweeper, a fake Macintosh system cleaning program, in January 2008.

MAC Defender has also created some collateral damage: The rogueware uses the same name as a legitimate German company that develops Mac software.

“A new malware application named MAC Defender (MacDefender.app) for OS X surfaced a few days ago,” warned the MacDefender site. “If you see an application/installer named like this DO NOT DOWNLOAD/INSTALL it. I would never release an application named like this.”

The rogueware’s name choice was probably a twist on “PC Defender” and “Windows Defender,” phrases used in the titles of numerous Windows-based fake AV programs, said James.

Mac users running Safari can prevent MAC Defender from automatically opening after it downloads by unchecking the box marked “Open ‘safe’ files after downloading” at the bottom of the General tab in the browser’s Preferences screen.

Source: ComputerWorld

Android Phone: New Virus Warning on Android Devices

An Android phone virus has been spotted in China that is aimed at revealing users’ encrypted personal information. NetQin, a global leader in mobile security, warned today that the new malware, called Hong Tou Tou, is specifically aimed at Android devices. Hong Tou Tou was discovered on February 18.

The Hong Tou Tou virus has been discovered in two strains. The DB.HongTouTou.A hides itself behind a legitimate phone app. Once activated, the mobile malware connects to a network in the background and collects and encrypts the user’s private data, not excluding passwords, bank information and credit card information. This private information is sent to a remote server. BD.Hong Tou Tou.B lures users to download and install the app “Dynamic Footprint Wallpaper.” After installation, the virus connects in the background and attempts to collect user data and send it to a remote server.

Android users are encouraged to use NetQin Mobile Anti-Virus 4.6. NetQin Mobile Anti-Virus 4.6 can be downloaded at http://www.netqin.com/products/antivirus/ This application will, with a high scan capability, fully protect one’s most trusted device.

NetQin also advises smart and responsible smartphone use. Avoid downloading apps that are ‘cracked versions’ or ‘revised versions’ as these versions may contain the nasty virus. Over ten per cent of the apps on the Android Market were discovered to be cracked, repackaged or not submitted by the original developer. Download apps only from trusted and reputable sources – ignore the Android Alternate Markets. Never ever accept application requests without knowing the application’s source. Monitor closely an app’s permission requests; an app should never ask for more than what it offers in its official list of features. Be aware of unusual behavior on the smart device, such as stealthy network connections or sending SMS without authorization.

Source: Thinking Clearly

‘Most Sophisticated’ Android Trojan Surfaces in China

Geinimi, a highly sophisticated Trojan, has been detected in Android devices in China.

However, it appears to be more of a sign of things to come rather than a serious threat to U.S. Android users.

Dubbed Geinimi (a scrambling of Gemini) by Lookout Mobile Security, a startup based in San Francisco, the botnet-like Trojan sends location information, device identity and even stored contacts to an unknown server.

According to Lookout co-founder Kevin MaHaffe, the most significant feature of Geinimi is its sophisticated command-and-control mechanism.

“A server can tell the Trojan what it can do, which makes it more advanced than other Android malware we’ve seen,” he said.

The mobile Trojan has been found in apps infected and repackaged to look like legitimate apps, and uploaded onto Chinese third-party app stores. Infections have been found in games like “Monkey Jump 2,” “Sex Positions,” “President vs. Aliens,” “City Defense,” and “Baseball Superstars 2010.”

GetJar and Android Marketplace have not reported any cases yet.

One quick and dirty method for detecting mobile Trojans, MaHaffe says, is to learn an app’s permissions and compare them to what the downloaded app is actually asking for. For instance, if the app’s description only lists requests for age and gender, a red flag should go up if your downloaded app suddenly asks for your home address, too.

Although the Geinimi Trojan has yet to land in the U.S., MaHaffe warns smartphone users not to get lazy about protecting their phones as mobile malware becomes increasingly sophisticated.

“Attackers are still figuring it out on the mobile landscape,” he said. “There’s a lot of sophistication for PC malware, but smartphone users need to start protecting their phones as they do their computers.”

For starters, MaHaffe advises people to use the same level of discernment towards smartphone downloads as they would with PC downloads.

“People probably wouldn’t download software from nefarious Web sites,” he said. “Same thing with mobile apps—be careful where you download mobile apps from. Look at developer ratings, user reviews of the app.”

Source: PC Magazine